A Tech Veteran's Security Warning

Critical-infrastructure security was the main topic at the recent annual meeting of the International Information Systems Security Certification Consortium, known as (ISC)². The consortium is a nonprofit agency dedicated to training and certifying security professionals. At this year's meeting, Rep. Adam Putnam, R-Fla., chairman of the House subcommittee on technology, delivered a keynote speech on critical security issues. In the days following the event, PC Magazine also caught up with Howard Schmidt, who is eBay's chief information security officer. Each man provided illuminating comments on both corporate and government security.

"For far too long, cyber security has taken a back seat to physical security, and this lack of attention to network security is our Achilles heel," Putnam said in his address. "The importance of securing our national networks should not be underestimated. An open but secure network is the key to a successful economy."

Schmidt echoed those thoughts. Before his eBay days, Schmidt was the chief security officer at Microsoft, and he served as chairman of the President's Critical Infrastructure Protection Board, which developed and introduced the National Strategy to Secure Cyberspace. "We have people in the government who still do not believe that electronic security is as important an issue as it is in the physical world," Schmidt said. "There are cyber terrorist threats that could be devastating to our economy. For example, look at the SQL Slammer problem that arose in January. There were issues where ATM machines couldn't talk to their home databases. If that had been more widespread and prolonged, it would have seriously disrupted people who are dependent on getting ATM cash."

"Also," Schmidt continued, "last October we saw attacks on the top-level domain name servers. Had those been sustained attacks, we would have had problems where people just couldn't do their online activities. Another problem is that a lot of the digital control devices and SCADA [Supervisory Control and Data Acquisition] devices are part of network infrastructure, so power generating stations, water treatment plants, and other sites can be disrupted."

Schmidt does see some emerging technologies that hold promise for combating and reacting to cyber terrorism. "One technology that is very interesting is FSO, or Free Space Optics, from Terabeam," Schmidt said. "There's information on it at their Web site. FSO gives you the ability to communicate at gigabit speeds across the airwaves. You don't have to worry about cable that may be disrupted. You connect inside one building, point at another building a couple of kilometers away, and there's a successful connection. They successfully deployed that in the aftermath of September 11th to bring financial services back online. One of the big financial companies was using it to communicate with their offices in New Jersey."

Instant messaging and 3G phones with SMS (Short Message Service) are other technologies that Schmidt sees as potentially protecting communications during disasters. He also thinks the government must keep the ball rolling on security technology initiatives.

"When I was at the White House, we were pushing heavily for WPS [Wireless Priority System]," Schmidt said, "so that we would have the ability during a crisis to keep communications open. On September 11th, lots of people couldn't even get a cell phone signal. WPS can provide queuing so that people don't get knocked off of communication lines, but emergency services can still get priority. The Department of Homeland Security was pursuing that. I don't know what's happened to it since then."

The corporate world, Schmidt says, faces other security-related issues. "Complexity and lack of understanding of interdependencies are the big issues," he said. "I had a lot of experience talking to companies affected by Code Red. I asked IT people if they knew they were vulnerable. They said no, they didn't know that this or that system was vulnerable. Others that knew they had vulnerabilities were afraid to install patches outside their normal maintenance cycle, because they feared their applications might start breaking."


"In order to help," Schmidt said, "it's important for the big hardware and software vendors to keep pushing security, and there won't be an overnight fix. All-in-one technologies that can check for viruses and malicious code, monitor patches, and do other kinds of automated checks of networks are important. There are some nice Web-based services out there for automated vulnerability assessments. These can check for vulnerabilities on an ongoing basis."

In the long run, Schmidt hopes to see what he calls a "security dashboard." "This," he said, "would sit on a system and function like a network meter. Here's the number of systems that are patched, and here's the number of systems configured properly."
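The "security dashboard" Schmidt describes is essentially a comparison of each system against a patch list and a configuration baseline, reduced to two counts. The following Python script is an added illustration of that idea, not code from PC Magazine, Schmidt, or eBay; the host inventory, the patch identifiers (`KB-001`, `KB-002`) and the baseline settings are constructed sample data, and a real deployment would read them from an asset inventory and a patch-management feed.

```python
from dataclasses import dataclass

# Constructed sample data: a tiny host inventory, a required-patch list and a
# configuration baseline. In practice these come from inventory and patch feeds.
@dataclass
class Host:
    name: str
    installed_patches: set
    config: dict

REQUIRED_PATCHES = {"KB-001", "KB-002"}  # placeholder patch identifiers
CONFIG_BASELINE = {"firewall": "on", "guest_account": "disabled"}

SAMPLE_HOSTS = [
    Host("web-01", {"KB-001", "KB-002"}, {"firewall": "on", "guest_account": "disabled"}),
    Host("web-02", {"KB-001"}, {"firewall": "on", "guest_account": "disabled"}),
    Host("db-01", {"KB-001", "KB-002"}, {"firewall": "off", "guest_account": "disabled"}),
    Host("file-01", set(), {"firewall": "on", "guest_account": "enabled"}),
]


def missing_patches(host, required=REQUIRED_PATCHES):
    """Required patches that are not installed on the host, sorted for stable output."""
    return sorted(required - host.installed_patches)


def config_deviations(host, baseline=CONFIG_BASELINE):
    """Baseline keys whose value on the host differs (or is absent), with the host's value."""
    return {k: host.config.get(k) for k, v in baseline.items() if host.config.get(k) != v}


def dashboard(hosts, required=REQUIRED_PATCHES, baseline=CONFIG_BASELINE):
    """Compute the two headline numbers Schmidt describes plus the per-host findings
    an operator needs to act on them."""
    unpatched = {h.name: missing_patches(h, required) for h in hosts if missing_patches(h, required)}
    misconfigured = {h.name: config_deviations(h, baseline) for h in hosts if config_deviations(h, baseline)}
    return {
        "total": len(hosts),
        "patched": len(hosts) - len(unpatched),
        "configured": len(hosts) - len(misconfigured),
        "unpatched": unpatched,
        "misconfigured": misconfigured,
    }


def render(report):
    """Format the report as the kind of text a network-meter style dashboard would show."""
    lines = [
        f"Systems patched:             {report['patched']}/{report['total']}",
        f"Systems configured properly: {report['configured']}/{report['total']}",
    ]
    for name, missing in report["unpatched"].items():
        lines.append(f"  {name}: missing {', '.join(missing)}")
    for name, devs in report["misconfigured"].items():
        detail = ", ".join(f"{k}={v!r}" for k, v in devs.items())
        lines.append(f"  {name}: off-baseline {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(dashboard(SAMPLE_HOSTS)))
```

Keeping the per-host detail next to the two counts matters: the headline numbers tell management where the organisation stands, while the lists of missing patches and off-baseline settings are what an administrator needs in order to move the numbers.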

Schmidt acknowledges, though, that better security will take time. "If someone came out tomorrow with perfectly secure hardware or software," he said, "it would still take three years to implement it."

Sebastian Rupley is Editorial Director for PCMagCast, PC Magazine's channel for live Web seminars and online events on tech topics for consumers and small businesses. Previously, he was West Coast Editor of PC Magazine for over a decade, where he oversaw news and feature stories for the publication, and represented the brand on panels and at conferences on the West Coast. He also served as Features Editor of PC/Computing magazine, managing and promoting many noted technology journalists.
